setproctitle [was: How do I change a process name or even a thread name in python!]
Jeff Epler
jepler at inetnebr.com
Wed Feb 14 09:14:30 EST 2001
On Tue, 13 Feb 2001 19:16:53 -0500 (EST), Steven D. Majewski
<sdm7g at virginia.edu> wrote:
>The actual args to (C) setproctitle are a format string and optional
>args, but it makes more sense to do any string formatting in Python,
>and just pass that string.
Actually, this is unsafe, and has been the cause of a number of bugs
recently exposed on Bugtraq.
Imagine that you are writing an ftp server which uses 'setproctitle' to
change its process name to give information including the e-mail address an
anonymous user gave when he logged in. The user might pass a string like
"%x%x%x%x", which will be treated as printf-style specifiers by setproctitle.
So, rather than

    setproctitle(new_title);

you must

    setproctitle("%s", new_title);

to be safe.
See Bugtraq or search for "setproctitle format vulnerability" for more
details on this potential security risk. One URL:
http://www.hert.org/papers/format.html
Unfortunately, that means the convenience function in the posix module
can't be used.
Jeff
jepler at inetnebr.com
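
The difference between the two calls in the message above, as an added example that is not part of the original message. title_printf is a hypothetical stand-in with setproctitle's printf-style signature that writes to a local buffer; the input string and the sentinel values are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the process title buffer (assumption for this example). */
static char g_title[128];

/* Hypothetical stand-in with setproctitle()'s printf-style signature.
 * It formats into g_title instead of changing the real process title. */
static const char *title_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_title, sizeof g_title, fmt, ap);
    va_end(ap);
    return g_title;
}

/* Unsafe pattern: untrusted text is the format string. Four sentinel
 * arguments are supplied so the behaviour is defined for the constructed
 * input below; in the real bug no arguments are passed and each
 * conversion reads whatever happens to be in the argument area. */
static const char *title_unsafe(const char *untrusted)
{
    return title_printf(untrusted, 0x41414141u, 0x42424242u,
                        0x43434343u, 0x44444444u);
}

/* Safe pattern from the message: constant format, untrusted text as data. */
static const char *title_safe(const char *untrusted)
{
    return title_printf("%s", untrusted);
}

int main(void)
{
    const char *addr = "%x%x%x%x";   /* constructed "e-mail address" */

    printf("unsafe: %s\n", title_unsafe(addr));
    printf("safe:   %s\n", title_safe(addr));
    return 0;
}
```

The unsafe call yields a title made of the sentinel values in hex, which shows the specifiers in the user's string being interpreted; the safe call yields the literal text %x%x%x%x.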